Connection Rate Limiting

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Introduction

Shorewall supports several mechanisms for limiting connection rates.
These are described in the following sections.

Rates are expressed in terms of connections per unit of
time and a burst
(connections/{sec|min|hour|day|week|month}[:burst]). An
interval is calculated by dividing the unit of time
by the number of connections allowed in that unit of time.

Example: 4/min:5

Connections = 4

Unit of time = 1 minute

Interval = 1 minute/4 = 15 seconds.

Burst = 5

As each connection arrives, if the burst count is > 0, the
burst count is reduced by one and the connection is
accepted. After each interval (15 seconds) that passes without a
connection arriving, the burst count is incremented
by 1 but is not allowed to exceed its initial setting (5).

By default, the aggregate connection rate is limited. If the
specification is preceded by "s:" or
"d:", then the rate is limited per SOURCE or per
DESTINATION IP address respectively.
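
The following is an added example, not Shorewall code: a small Python model of the accounting described above, which parses a rate specification and keeps one burst count in aggregate, per source ("s:") or per destination ("d:"). The names parse_rate, RateLimiter and simulate are hypothetical; treating a month as 30 days and an omitted burst as 5 are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 2592000}  # month = 30 days (assumption)
DEFAULT_BURST = 5  # assumption: the page does not define an omitted burst
SPEC = re.compile(r"^(?:([sd]):)?(\d+)/(sec|min|hour|day|week|month)(?::(\d+))?$")


def parse_rate(spec):
    """Return (mode, interval_seconds, burst) for a spec such as 's:4/min:5'."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"bad rate specification: {spec!r}")
    count, burst = int(m.group(2)), int(m.group(4) or DEFAULT_BURST)
    if count == 0 or burst == 0:
        raise ValueError(f"rate and burst must be non-zero: {spec!r}")
    mode = {"s": "source", "d": "destination", None: "aggregate"}[m.group(1)]
    return mode, UNIT_SECONDS[m.group(3)] / count, burst


class RateLimiter:
    def __init__(self, spec):
        self.mode, self.interval, self.burst = parse_rate(spec)
        # One bucket per key: [burst count, time the count was last updated]
        self.buckets = defaultdict(lambda: [self.burst, None])

    def allow(self, now, src, dst):
        """Decide one connection attempt arriving at time `now` (seconds)."""
        key = {"source": src, "destination": dst, "aggregate": "*"}[self.mode]
        b = self.buckets[key]
        if b[1] is None:
            b[1] = now
        earned = int((now - b[1]) // self.interval)  # whole intervals elapsed
        if earned:
            b[0] = min(self.burst, b[0] + earned)    # never above the burst
            b[1] = now if b[0] == self.burst else b[1] + earned * self.interval
        if b[0] > 0:
            b[0] -= 1
            return True
        return False


def simulate(spec, events):
    """events: (time, src, dst) tuples in time order -> list of accept flags."""
    limiter = RateLimiter(spec)
    return [limiter.allow(t, s, d) for t, s, d in events]


# Constructed sample: seven attempts at t=0, two at t=15 (documentation IPs).
SAMPLE = [(0, "192.0.2.1", "198.51.100.9")] * 7 + [(15, "192.0.2.1", "198.51.100.9")] * 2
```

With "4/min:5" the sample accepts the first five attempts, refuses the next two, then accepts exactly one more after the 15-second interval has passed.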

Policy Rate Limiting

The LIMIT column in the /etc/shorewall/policy
file applies to TCP connections that are subject to the policy. The
limiting is applied BEFORE the connection request is passed through the
rules generated by entries in /etc/shorewall/rules.
Those connections in excess of the limit are logged and dropped.

Rules Rate Limiting

The RATE LIMIT column in the
/etc/shorewall/rules file allows limiting of
ACCEPT, DNAT and Action rules.

Limit Action

The Limit Action is a
legacy mechanism that limits connections per source IP. It does not
support the notion of a burst size.